A Flexible Wildcard-Pattern Matching Accelerator via Simultaneous Discrete Finite Automata

Regular expression matching has become an indispensable element of Internet of Things network security. However, a traditional ternary content addressable memory (TCAM) search engine cannot handle patterns with wildcards, because it tracks exactly one active state with a single transition. This paper proposes a simultaneous pattern matching methodology for wildcard patterns that uses two separate engines to represent discrete finite automata. A key preprocessing step encodes each possible postfix pattern with a unique key, which ensures that follow-up patterns can accurately traverse all possible matches with limited hardware resources. The approach is practical and scalable, achieving good performance and low space consumption in network security, and it is applicable to any regular expression, even those with multi-wildcard patterns. The experimental results demonstrate that this scheme can efficiently and accurately recognize wildcard patterns by simultaneously tracking only two active states. By adopting SRAM TCAM in the proposed architecture, the energy consumption is reduced to around 39%, compared with the energy consumption using a computing system that contains a large memory lookup and comparison overhead.
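A software model of the two-engine idea described in the abstract, added here as an illustration and not the paper's hardware design: each rule `prefix*postfix` is split at the wildcard, one automaton tracks prefixes, a second tracks postfixes, and a per-rule key links the two. The `*` rule syntax, the use of Aho-Corasick automata in place of TCAM lookups, the rule index as key, and the names `build_ac`, `step` and `scan` are assumptions of this sketch.

```python
from collections import deque

def build_ac(words):
    """Aho-Corasick automaton over {key: literal}; a scan keeps one active state."""
    goto, fail, out = [{}], [0], [set()]
    for key, w in words.items():
        s = 0
        for ch in w:
            if ch not in goto[s]:
                goto.append({}); fail.append(0); out.append(set())
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(key)
    q = deque(goto[0].values())
    while q:                                  # breadth-first: fill failure links
        s = q.popleft()
        for ch, t in goto[s].items():
            f = fail[s]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(ch, 0)
            out[t] |= out[fail[t]]            # inherit matches ending at suffixes
            q.append(t)
    return goto, fail, out

def step(ac, s, ch):
    """Advance the single active state by one input symbol."""
    goto, fail, out = ac
    while s and ch not in goto[s]:
        s = fail[s]
    s = goto[s].get(ch, 0)
    return s, out[s]

def scan(rules, data):
    """rules: {name: 'prefix*postfix'} (assumed syntax, both halves non-empty).
    Returns [(rule name, index of last matched character)]."""
    halves = [(n, *p.split("*", 1)) for n, p in rules.items()]
    eng1 = build_ac({k: h[1] for k, h in enumerate(halves)})   # prefix engine
    eng2 = build_ac({k: h[2] for k, h in enumerate(halves)})   # postfix engine
    s1 = s2 = 0                               # the only two active states
    armed, hits = {}, []                      # key -> index where prefix first ended
    for i, ch in enumerate(data):
        s1, pre_keys = step(eng1, s1, ch)
        s2, post_keys = step(eng2, s2, ch)
        for k in pre_keys:
            armed.setdefault(k, i)
        for k in sorted(post_keys):
            # the postfix must begin after its prefix ended (no overlap)
            if k in armed and i - len(halves[k][2]) + 1 > armed[k]:
                hits.append((halves[k][0], i))
    return hits
```

For example, `scan({"r1": "abc*xyz"}, "zzabcqqxyz")` reports `r1` at index 9, while the same rule over `"xyzabc"` reports nothing because the postfix appears before its key is armed.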
